The software that lets people enrol for the Aadhaar programme, and provides them with the unique 12-digit number has reportedly been breached, and is allegedly being sold for prices ranging from Rs 500 to Rs 2,000.
According to a report published by Asia Times on Tuesday, 1 May, anybody willing to pay the money was given the power to create Aadhaar IDs for people in the country, or even update their details.
The software provided by the Unique Identification Authority of India (UIDAI) is called Enrolment Client Multi Platform (ECMP), and is said to be secure. It provides enrolment operators with access to the biometric database.
The report states that former operators with UIDAI have been part of the nexus which has been selling this software via WhatsApp groups, priced between Rs 500 to Rs 2,000.
UIDAI had strangely appointed private companies (on a contract basis) to work on the behalf of Aadhaar, and many of these operators’ contracts were terminated earlier this year. The report quotes information security experts who managed to take a look at the leaked software and confirm that all guidelines of UIDAI had been bypassed.
This episode was first reported late last year when operators from Punjab were apparently selling the jailbreak version of the ECMP software and installing it on laptops to whoever was willing to pay for it.
With this version, anybody is able to bypass the biometric and geolocation safeguards to access Aadhaar details of any person.
This way, anybody can claim to be an operator working with UIDAI and be able to collect confidential information from people for devious reasons. That person need not even be a resident of the country, now that geolocation parameters seem to have been breached as well.
The data breach controversies surrounding Aadhaar and its claimed secure infrastructure set up have been well documented, but it’s concerning to see that none of the organisations involved with Aadhaar have responded to the allegations of this latest breach.
A few months back, a similar data breach story was reported in the country, and instead of looking into the matter, UIDAI had seen it fit to file a case against the reporter who highlighted the issue.
What action will the UIDAI take this time? Investigate the breach or deny the authenticity of the latest report?
(The Quint is now on WhatsApp. To receive handpicked stories on topics you care about, subscribe to our WhatsApp services. Just go to TheQuint.com/WhatsApp and hit Send.)
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)